Byte Open Security (ByteOS Network)

CWE-42: Path Equivalence: 'filename.' (Trailing Dot)
Weakness ID: 42
Version: v4.17
Weakness Name: Path Equivalence: 'filename.' (Trailing Dot)
Vulnerability Mapping: Allowed
Abstraction: Variant
Structure: Simple
Status: Incomplete
Likelihood of Exploit:
▼Description

The product accepts path input in the form of trailing dot ('filedir.') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.
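An added example, not part of the CWE entry, of the defensive check the description calls for: the extension policy is evaluated on the name as a Windows-style file system would resolve it (trailing dots and spaces dropped), and any input that is not already in that canonical form is refused instead of silently normalised. The blocked-extension set and the function names are constructed for this illustration.

```python
import posixpath

# Constructed policy for the illustration: names with these extensions must
# never be served or executed by the application.
BLOCKED_EXTENSIONS = {".lnk", ".asp", ".php"}


def canonical_filename(name: str) -> str:
    """Return the name as a Windows-style file system would resolve it.

    Such file systems drop trailing dots and spaces when opening a file, so
    'shortcut.lnk.' and 'shortcut.lnk' name the same object even though a
    plain string comparison treats them as different (the CWE-42 ambiguity).
    """
    return name.rstrip(". ")


def last_component(user_path: str) -> str:
    """Extract the final path element, accepting either separator style."""
    return posixpath.basename(user_path.replace("\\", "/"))


def naive_is_blocked(user_path: str) -> bool:
    """The weak check: it compares the raw input, so 'x.lnk.' slips through."""
    return last_component(user_path).lower().endswith(tuple(BLOCKED_EXTENSIONS))


def hardened_verdict(user_path: str) -> str:
    """Return 'ok', 'blocked' or 'ambiguous' for a requested path.

    Inputs that differ from their canonical form are refused outright, so the
    decision taken here and the name the file system finally opens cannot
    diverge; the extension policy is then applied to the canonical name.
    """
    name = last_component(user_path)
    canon = canonical_filename(name)
    if canon != name or not canon:
        return "ambiguous"
    _, ext = posixpath.splitext(canon)
    if ext.lower() in BLOCKED_EXTENSIONS:
        return "blocked"
    return "ok"


if __name__ == "__main__":
    for probe in ("docs\\readme.txt", "shortcut.lnk", "shortcut.lnk.", "index.asp. ."):
        print(f"{probe!r:20} naive_blocked={naive_is_blocked(probe)!s:5} "
              f"hardened={hardened_verdict(probe)}")
```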

▼Extended Description

▼Alternate Terms
▼Relationships
Relevant to the view "Research Concepts - (1000)"
Nature    Mapping  Type     ID   Name
ChildOf   Allowed  Base     41   Improper Resolution of Path Equivalence
ChildOf   Allowed  Variant  162  Improper Neutralization of Trailing Special Elements
ParentOf  Allowed  Variant  43   Path Equivalence: 'filename....' (Multiple Trailing Dot)
▼Memberships
Nature    Mapping     Type      ID    Name
MemberOf  Prohibited  Category  981   SFP Secondary Cluster: Path Traversal
MemberOf  Prohibited  Category  1404  Comprehensive Categorization: File Handling
▼Tags
Nature    Mapping     Type      ID        Name
MemberOf  Prohibited  BOSSView  BOSS-294  Not Language-Specific Weaknesses
MemberOf  Prohibited  BOSSView  BOSS-316  Bypass Protection Mechanism (impact)
▼Relevant To View
Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"
Nature    Mapping     Type      ID   Name
MemberOf  Prohibited  Category  981  SFP Secondary Cluster: Path Traversal
▼Background Detail

▼Common Consequences
Scope           Likelihood  Impact                       Note
Access Control  N/A         Bypass Protection Mechanism  N/A
▼Potential Mitigations
▼Modes Of Introduction
Phase: Implementation
Note: N/A
▼Applicable Platforms
Languages
Class: Not Language-Specific (Undetermined Prevalence)
▼Demonstrative Examples
▼Observed Examples
Reference      Description
CVE-2000-1114  Source code disclosure using trailing dot
CVE-2002-1986  Source code disclosure using trailing dot
CVE-2004-2213  Source code disclosure using trailing dot
CVE-2005-3293  Source code disclosure using trailing dot
CVE-2004-0061  Bypass directory access restrictions using trailing dot in URL
CVE-2000-1133  Bypass directory access restrictions using trailing dot in URL
CVE-2001-1386  Bypass check for ".lnk" extension using ".lnk."
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
▼Detection Methods
▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Suggestions:
▼Notes
▼Taxonomy Mappings
Taxonomy Name            Entry ID  Fit  Entry Name
PLOVER                   N/A       N/A  Trailing Dot - 'filedir.'
Software Fault Patterns  SFP16     N/A  Path Traversal
▼Related Attack Patterns
▼References
Details not found